WordPress Plugin Supsystic Contact Form 1.7.36 - SSTI

Apache HertzBeat 1.8.0 - Remote Code Execution

ePati Antikor NGFW 2.0.1301 - Authentication Bypass

PJPROJECT 2.16 - Heap Bufferoverflow

Ninja Forms Uploads - Unauthenticated PHP File Upload

glances 4.5.2 - command injection

coreruleset 4.21.0 - Firewall Bypass

Flowise < 3.0.5 - Missing Authentication for Critical Function

telnetd 2.7 - Buffer Overflow

Ghost CMS 6.19.0 - SQLi

En 2026, les cyberattaques contre les PME ne commencent pas toujours par une faille spectaculaire. Très souvent, tout part d’un email bien tourné, d’un mot de passe déjà compromis.

États-Unis et Chine démantèlent neuf centres d’arnaque crypto à Dubaï, avec 276 arrestations.

Le FBI alerte sur des pirates qui détournent du fret via comptes compromis, faux chargements et usurpation.

Un pirate informatique, membre des groupes Akira et Conti, condamné à 8 ans prison. sa mission, analyser les données volées.

Il voulait se venger après son licenciement : 96 bases gouvernementales supprimées.

Pendant près de deux ans, les pirates du groupe Cl0p sont restés invisibles dans les machines d'un spécialiste de la gestion et du traitement de l'eau.

Instructure paie ShinyHunters après l’attaque de Canvas, tandis que le Congrès enquête sur la réponse cyber.

Fuite revendiquée contre la PACI au Koweït : données civiles, cartes sensibles et enjeu de renseignement.

West Pharmaceutical touché par un rançongiciel : données volées, production perturbée et enquête cyber en cours.

Foxconn confirme une cyberattaque en Amérique du Nord, revendiquée par Nitrogen, avec 8 To de données volées

In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo staff and external contacts. Whilst separate from

In April 2026, Canada Life was the victim of a "pay or leak" extortion campaign by the ShinyHunters group. The group subsequently published the data which contained over 200k unique email addresses along with names, phone numbers, physical addresses and, in some cases, customer support tickets. In

In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group. Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with tens of thousands of external email addresses and corporate cont...

In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their "pay or leak" campaign. The group claimed the breach was related to a compromise of the Anodot analytics platform and subsequently published a terabyte of data allegedly including 95M support ticket records. The data contained 197k unique email addresses a...

In March 2026, the AI-driven merchant data platform Woflow was named as a victim by the ShinyHunters data extortion group. The group subsequently published tens of thousands of files allegedly obtained from the company, comprising more than 2TB of data. The trove included hundreds of thousands of email addresses, names, phone numbers and physical addresses, with the data indicating it relat...

In April 2026, the commercial residential and ISP proxy network LegionProxy suffered a data breach. The incident exposed 10k email addresses, bcrypt password hashes, names and purchases.

In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata. The data also included 119k unique email addresses, sometimes accompanied by names.

In April 2026, the gaming community Reborn Gaming suffered a data breach due to a vulnerability in cPanel and WebHost Manager (WHM). The breach exposed 126 unique email addresses along with IP addresses and Steam IDs. Reborn Gaming self-submitted the data to Have I Been Pwned.

In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group. Data alleged to have been obtained from the company was subsequently released publicly and included 1.8M unique email addresses, along with names, phone numbers and employment...

In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform. The group claimed the data had been exfiltrated from platforms including Snowflake, Mixpanel and Salesforce, and threatened to publish it if a ransom was not paid. The following month, after claiming payme...